DETAILED ACTION

1. Currently pending claims are 1 - 35.

Response to Arguments 

2. Applicant's arguments with respect to the subject matter of the instant claims have been 
fully considered but are not persuasive. 

3. As per claim 1, Applicant asserts (a) the access rights that are defined by preloaded 
attribute certificates in Anderson do not disclose or render obvious the recitations of Claim 1 and 
(b) the downloaded object includes access permissions and other permission information to be 
associated with policy contained in the downloaded object as well as access permissions 
already existing in the apparatus (Remarks: Page 12 / 2nd Para) and (c) the object enhancing
the application interface with the new routines and/or new functions (Remarks: Page 11 / 1st
Para). Examiner respectfully disagrees with the following rationale:

• Regarding issue (a), Anderson teaches (i) attribute certificates are downloaded as 
well together with the downloaded objects to control the download application / function 
access permission (i.e. digital rights) (Anderson: Column 2 Line 50 - 54) and besides, 
(ii) the attribute certificates (i.e. access rights) can be built into the smart card at the 
manufacturer (i.e. pre-loaded) or can be download over the air into the smart card to 
allow the service provider to update the certificates (i.e. access rights) (Anderson: 
Column 4 Line 35 -40). 

• Regarding issue (a), Anderson also teaches the download attribute certificate 
contains at least other permission information specifying a generic profile that controls 
one or several other applications to be associated with the profile such as signature, 
issuer and validity about access rights (Anderson: Column 3 Line 54 - Column 4 Line 2)
and as such Anderson does teach the downloaded object includes access permissions 
and other permission information to be associated with policy contained in the 
downloaded object as well as access permissions already existing in the apparatus. 

• Regarding issue (a), Anderson teaches the user can download the new functions or
applications such as tools to upgrade the user device / apparatus (e.g. telephone)
application interface (Anderson: Column 2 Line 39 - 41).

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 
NOTE: The term "others" in 35 U.S.C. 102(a) refers to any entity which is different from the inventive entity.
The entity need only differ by one person to be "by others." This holds true for all types of references eligible
as prior art under 35 U.S.C. 102(a) including publications as well as public knowledge and use.

4. Claims 1 - 3 and 9-20 are rejected under 35 U.S.C. 102(a) as being anticipated by 
Anderson (EP 1361527 A1). 

As per claim 1 and 18, Anderson teaches a method of providing a dynamic security 
management in an apparatus, the apparatus comprising: 

a platform for running an application (Anderson: Figure 1); 

a security manager for handling access of the application to functions existing in 
the apparatus (Anderson: Figure 1 / Element 7); 

an application interface between the platform and the application (Anderson: Figure
1 / Element 4: API (Application Interface)); 

a set of access permissions stored in the apparatus and used by the security 
manager for controlling access of the application to functions through the application 
interface (Anderson: Column 3 Line 12 - 24) the method comprising: 

downloading into the apparatus an object containing access permissions and 
other permission information to be associated with policy contained in the downloaded 
object as well as access permissions already existing in the apparatus, wherein the 
permissions are applicable to at least one function, the object comprising new routines 
and/or new functions (Anderson: Column 2 Line 39-41 / Line 50 - 54, Column 3 Line 12-19 
and Column 3 Line 54 - Column 4 Line 2: the download attribute certificate along with the 
downloaded objects to control access permission (i.e. digital rights) contains at least other 
permission information specifying a generic profile that controls one or several other 
applications to be associated with the profile such as signature, issuer and validity about access 
rights); 

verifying the object (Anderson: Column 4 Line 21 - 24); and 

installing the access permissions together with the existing permissions, the object
enhancing the application interface with the new routines and/or new functions (Anderson:
Column 4 Line 28-30).

As per claim 14 and 31, Anderson teaches a method of providing a dynamic security 
management in an apparatus, the apparatus comprising: 

a platform for running an application (Anderson: Figure 1); 

a security manager for handling access of the application to functions existing in the
apparatus (Anderson: Figure 1 / Element 7); 

an application interface between the platform and the application (Anderson: Figure 1 / 
Element 4: API (Application Interface)); 

a set of access permissions stored in the apparatus and used by the security manager 
for controlling access of the application to functions through the application interface (Anderson: 
Column 3 Line 12-24 and Column 2 Line 50 - 54), the method comprising: 

storing the access permissions in a security policy (Anderson: Column 4 Line 49 - 58 
and Column 3 Line 56 - 58: access permission information is indeed related to a security 
policy); and 

providing the security policy with a hierarchical structure (Anderson: Column 4 Line 49 - 
58 / Line 3-30 and Figure 2: (a) a hierarchical structure of a set of root-certificates and 
attribute certificates; (b) where the root-certificate is mapped to an attribute certificate through 
an identifier (e.g. public key)). 

As per claim 2 and 19, Anderson teaches the object is verified by checking a certificate 
chain of the object (Anderson: Column 4 Line 20 - 38). 

As per claim 3 and 20, Anderson teaches verifying that a policy of the function allows 
updates (Anderson: Column 3 Line 20 - 24 and Column 4 Line 35 - 38). 

As per claim 9 and 26, Anderson teaches the access permissions are contained in a 
policy file (Anderson: Column 3 Line 56 - 58: access permission information is indeed related to 
a security policy). 

As per claim 10 and 27, Anderson teaches the policy file has a structure linking access
levels of existing functions with a domain associated with the downloaded object (Anderson: 
Column 4 Line 4 - 57: (a) permission rights must be associated with an access level according 
to a security policy and (b) a set of structures (e.g., permission certificates) are linked with an 
identifier (e.g., signature / public key identifier), which is qualified as a domain ID - i.e. a group / 
domain of mapped certificates).

As per claim 11, 16, 28 and 33, Anderson teaches the policy file has a structure linking
access levels of existing functions with information contained in a certificate chain (Anderson: 
Column 4 Line 20 - 38 and Column 4 Line 4 - 57). 

As per claim 12, 17, 29 and 34, Anderson teaches the information includes a signature 
of the end entity certificate, a signature of an intermediate certificate, or specific level 
information (level OID) (Anderson: Column 4 Line 19 - 24: a signature). 

As per claim 13 and 30, Anderson teaches the policy file has a structure including logical 
expressions (Anderson: Column 4 Line 50 - 54: a file structure indeed includes logical 
expressions). 

As per claim 15 and 32, Anderson teaches the security policy has a structure linking 
access levels of existing functions with a domain associated with the downloaded object 
(Anderson: Column 4 Line 4 - 57 / Line 20 - 38: (a) permission rights must be associated with 
an access level according to a security policy and (b) a set of structures (e.g., permission 
certificates) are linked with an identifier (e.g., signature / public key identifier), which is qualified
as a domain ID - i.e. a group / domain of mapped certificates).

As per claim 35, Anderson teaches the apparatus is a portable telephone, a pager, a 
communicator, a smart phone, or an electronic organizer (Anderson: Column 2 Line 37 - 41). 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 4-8 and 21 - 25 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Anderson (EP 1361527 A1), in view of Yarsa et al. (U.S. Patent 6,760,912). 

As per claim 4, 7, 21 and 24, Anderson does not disclose expressly installing a library 
comprising new routines and/or new functions to be called by an application or another library 
stored in the apparatus to enable access of functions through the application interface. 

Yarsa teaches installing a library comprising new routines and/or new functions to be 
called by an application or another library stored in the apparatus to enable access of functions 
through the application interface (Yarsa: Column 3 Line 9 - 20: DLL Library routines called by 
an applet class application program with built-in security mechanism). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Yarsa within the system of Anderson because 



Application/Control Number: 10/589,171 Page 8 

Art Unit: 2431 

(a) Anderson teaches a security mechanism of defining a generic profile for controlling an 
interface in connection with applications so that the application is allowed limited access to 
existing software / function through an interface (Anderson: Column 3 Line 55 - 58 and Column 
2 Line 50 - 54), and (b) Yarsa teaches an improved security mechanism on API (Application 
Interface) by providing functions with built-in dynamic link library (.DLL), namely, native code 
library, and accessed through the Java Native Interface (JNI) by a class that has access rights 
to load DLL library codes (Yarsa: Column 3 Line 9 - 20: DLL Library routines called by an applet 
class application program with built-in security mechanism). 

As per claim 5, 8, 22 and 25, Anderson as modified teaches the new routines and/or 
new functions can access existing functions through the library (Yarsa: Column 3 Line 9 - 20). 

As per claim 6 and 23, Anderson as modified teaches when accessing functions, 
recursively checks the permissions of the application interfaces and libraries in a linked chain 
related to the called functions (Yarsa: Column 3 Line 9 - 20). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the mailing date 
of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The 
examiner can normally be reached on Monday-Friday 9:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William R. Korzuch can be reached on 571-272-7589. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Longbit Chai/ 

Longbit Chai E.E. Ph.D 
Primary Examiner, Art Unit 2431 
7/01/2009 



